[squid-users] Re: kerberos ERROR: gss_accept_sec_context() failed: Unspecified GSS failure

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 5 Aug 2013 19:43:44 +0100

Hi Glenn,

If you follow the online guide at
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos you will
see for win2008 a

msktutil -c -b "CN=COMPUTERS" -s HTTP/<fqdn> -h <fqdn> -k
/etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/<fqdn> --server
<domain controller> --verbose --enctypes 28

i.e. the addition of --enctypes 28

Can you try that?

Markus

"Glenn groves" <glenn.groves_at_gmail.com> wrote in message
news:CAN55zj5L1nDOf1poMhGkfMjEGpV2hFmDw5zp4aQJCfvXZAqm0Q_at_mail.gmail.com...
> Hi All,
>
> I have been setting up a new proxy, it needs to have Kerberos auth so
> that the users on the domain do not get prompted for a password - but
> are authenticated and this is to show in the logs. Sorry for the
> formatting, I tried using the bold and embed tags but they did not
> work.
>
> It does not work for Windows 7, Windows 8 or Windows 2008.
>
> I have it working when I try from a Windows 2003 OS, and can see the
> auth occurring in the logs:
>
> ............D1jAEc= user_at_DOMAIN.COM.AU
> 2013/08/05 11:48:16| squid_kerb_auth: INFO: User user_at_DOMAIN.COM.AU
> authenticated
>
> However from a Windows 7 or Windows 8 PC, the authentication does not
> complete and instead there is an error:
>
> 2013/08/05 11:48:31| squid_kerb_auth: ERROR: gss_accept_sec_context()
> failed: Unspecified GSS failure. Minor code may provide more
> information.
> 2013/08/05 11:48:31| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH
> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
> may provide more information.
>
> ==> /var/log/squid/cache.log <==
> 2013/08/05 11:48:31| squid_kerb_auth: INFO: User not authenticated
>
> Below is some information on the configuration:
>
> We are running 3 x 2008R2 domain controllers and 1 x 2003 domain
> controller, thus the domain mode is set to 2003.
>
> The krb5.conf file contains:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MYDOMAIN.COM.AU
> dns_lookup_kdc = false
> dns_lookup_realm = false
> ticket_lifetime = 24h
> default_keytab_name = /etc/squid/PROXY.keytab
> forwardable = true
>
> ; Note, because we have a 2003 domain controller, I have the 2003 uncommented below not the 2008 with AES
> ; for Windows 2003
> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ; for Windows 2008 with AES
> ; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> ; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> ; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
> MYDOMAIN.COM.AU = {
> kdc = kdc1.mydomain.com.au
> kdc = kdc2.mydomain.com.au
> kdc = kdc3.mydomain.com.au
> kdc = kdc4.mydomain.com.au
> admin_server = kdc1.mydomain.com.au
> default_domain = mydomain.com.au
> }
>
> [domain_realm]
> .mydomain.com.au = MYDOMAIN.COM.AU
> mydomain.com.au = MYDOMAIN.COM.AU
>
> The squid.conf contains the following custom settings:
>
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy.mydoamin.com.au
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> auth_param basic credentialsttl 2 hours
> acl ad_auth proxy_auth REQUIRE
> http_access allow ad_auth
> http_access allow localnet
>
> (Note: I would like to get rid of the http_access allow localnet, but
> even on 2003 when the auth works - internet access is denied without
> this line)
>
> My /etc/sysconfig/squid file has the following custom lines:
>
> KRB5_KTNAME=/etc/squid/PROXY.keytab
> export KRB5_KTNAME
>
> When I ran this command, the keytab was generated successfully:
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.mydomain.com.au -h
> proxy.mydomain.com.au -k /etc/squid/PROXY.keytab --computer-name
> PROXYK --upn HTTP/proxy.mydomain.com.au --server dc1.mydomain.com.au
> --verbose
>
> The permissions on the keytab are below, which should be fine:
>
> -rw-rw-rw-. 1 root root 1430 Aug 5 08:33 /etc/squid/PROXY.keytab
>
> In summary, the fact Windows 2003 works and gets authenticated shows
> to me that Kerberos is working; why won't Windows 2008, 7 or 8 work?
>
> Thanks,
>
> Glenn
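Added example (not from this thread, msktutil or the Squid project): it decodes the --enctypes 28 bitmask Markus suggests and checks which enctypes a client, the service keytab and the krb5.conf quoted above can all agree on. The bit values are those of the AD attribute msDS-SupportedEncryptionTypes; the client enctype lists and the mask 7 used for a keytab generated without the flag are assumptions, and the permitted_enctypes lists are copied from the quoted krb5.conf.

```python
# Added example, not code from the squid-users thread or from msktutil/Squid.
# Bit values follow the AD attribute msDS-SupportedEncryptionTypes, which is
# what msktutil --enctypes sets on the computer account.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Constructed sample inputs. PERMITTED_* are the permitted_enctypes lines from
# the krb5.conf in the thread (active 2003 line, commented 2008 line); the
# client lists are assumed OS defaults (Windows 7/2008 R2 ship with DES off,
# Windows 2003 has no AES). Mask 7 is an assumed value for a keytab generated
# without --enctypes.
PERMITTED_2003 = ["rc4-hmac", "des-cbc-crc", "des-cbc-md5"]
PERMITTED_2008 = ["aes256-cts-hmac-sha1-96", "rc4-hmac", "des-cbc-crc", "des-cbc-md5"]
CLIENT_WIN7 = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "rc4-hmac"]
CLIENT_WIN2003 = ["rc4-hmac", "des-cbc-md5", "des-cbc-crc"]


def decode_enctypes(mask):
    """Bitmask (the 28 in '--enctypes 28') -> enctype names, weakest first."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]


def encode_enctypes(names):
    """Enctype names -> bitmask suitable for msktutil --enctypes."""
    by_name = {name: bit for bit, name in ENCTYPE_BITS.items()}
    return sum(by_name[n] for n in set(names))


def usable_enctypes(keytab_mask, permitted, client):
    """Enctypes, in the client's preference order, that the client offers,
    the service keytab holds a key for, and krb5.conf on the Squid host
    permits. An empty list means there is no enctype the service ticket
    can be issued in that the acceptor could also decrypt."""
    in_keytab = set(decode_enctypes(keytab_mask))
    return [e for e in client if e in in_keytab and e in permitted]


if __name__ == "__main__":
    for label, mask in (("keytab without --enctypes (assumed 7)", 7), ("--enctypes 28", 28)):
        print(label, "->", decode_enctypes(mask))
        for os_name, client in (("Win2003", CLIENT_WIN2003), ("Win7", CLIENT_WIN7)):
            print("  ", os_name, "/ 2003 krb5.conf:", usable_enctypes(mask, PERMITTED_2003, client))
            print("  ", os_name, "/ 2008 krb5.conf:", usable_enctypes(mask, PERMITTED_2008, client))
```

The output makes the two knobs visible side by side: the keytab mask decides which keys the service has at all, while permitted_enctypes decides which of them the Squid host will accept.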
Received on Mon Aug 05 2013 - 18:44:07 MDT